My Assange/Snowden slash fic is big in Russia

A Russian botnet will not stop downloading my homoerotic story about Edward Snowden and Julian Assange. It was the middle of election season, I had recently broken up with my girlfriend, and half a bottle of Bombay Sapphire later I crapped out this break-up scene where Assange is emotionally abusive to Snowden.

If you haven’t already left to read that trainwreck out of morbid curiosity instead, let’s investigate this. This is just the blog of a sysadmin who occasionally does stand-up as a hobby. My readers are mostly friends and family, so I was surprised to see that my data transfer thus far this month was 3GB. When I decided to review my nginx access logs, I saw a lot of this:

5.188.210.60 - - [28/Feb/2019:18:06:21 -0500] "GET /?p=261 HTTP/1.0" 200 68303 "https://www.blakedrinks.beer/?p=261" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36"
5.188.210.69 - - [28/Feb/2019:18:16:22 -0500] "GET /?p=261 HTTP/1.0" 200 68303 "https://www.blakedrinks.beer/?p=261" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36"
5.188.210.70 - - [28/Feb/2019:18:31:29 -0500] "GET /?p=261 HTTP/1.0" 200 68303 "https://www.blakedrinks.beer/?p=261" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36"
5.188.210.66 - - [28/Feb/2019:18:50:59 -0500] "GET /?p=261 HTTP/1.0" 200 68303 "https://www.blakedrinks.beer/?p=261" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36"

As I write this, that last entry is less than 10 minutes old. This log file only goes back to December 29th, when I migrated to a new FreeBSD 12 host, so I don’t know how long it’s been going on, but at least that long.

I did a quick traceroute on a random one and saw it hopping through Stockholm. Uh oh. Let’s look closer.

% Abuse contact for '5.188.210.0 - 5.188.210.255' is 'alkonavtnetwork@gmail.com'

inetnum:        5.188.210.0 - 5.188.210.255
netname:        AlkonavtNetwork
descr:          Dedicated Servers & Hosting
remarks:        abuse contact: alkonavtnetwork@gmail.com [1]
country:        RU
admin-c:        BJA12-RIPE
org:            ORG-BJA2-RIPE
tech-c:         BJA12-RIPE
status:         SUB-ALLOCATED PA
mnt-by:         MNT-PINSUPPORT
created:        2018-07-22T18:47:38Z
last-modified:  2018-07-22T18:47:38Z
source:         RIPE

organisation:   ORG-BJA2-RIPE
org-name:       Bashilov Jurij Alekseevich
org-type:       OTHER
address:        Data center: Russia, Saint-Petersburg, Sedova str. 80. PIN Co. LTD (ru.pin)
abuse-c:        BJA13-RIPE
mnt-ref:        MNT-PINSUPPORT
mnt-by:         MNT-PINSUPPORT
created:        2015-12-17T21:42:47Z
last-modified:  2018-07-22T18:50:42Z
source:         RIPE # Filtered

person:         Bashilov Jurij Alekseevich
address:        111398, Russia, Moscow, Plehanova str. 29/1-90
phone:          +79778635845
nic-hdl:        BJA12-RIPE
mnt-by:         MNT-PINSUPPORT
created:        2015-12-16T04:19:25Z
last-modified:  2018-07-22T18:58:31Z
source:         RIPE

% Information related to '5.188.210.0/24AS44050'

route:          5.188.210.0/24
descr:          AlkonavtNetwork
origin:         AS44050
mnt-by:         MNT-PINSUPPORT
created:        2016-12-22T14:39:55Z
last-modified:  2018-07-22T18:52:24Z
source:         RIPE

Well, that includes all of the IP addresses in my last snippet. Hello, St Petersburg. Interesting that a hosting company would have a gmail address to report abuse to. Googling around, I see various blogs reporting spam coming from this IP address range. I’m not sure if this is basic spam, though. The short story in question heavily discusses Edward Snowden and Julian Assange as being in conspiracy with Russia. Did I hit a cross section of keywords they’re scraping for? Did I accidentally tell a true story?

Let’s do some grepping around here. I’ll omit all entries of my own IP addresses for bias and look at a couple other posts. That stupid Dunkin Donuts coffee gag I did? As of right now, 167 GET requests. The sequel to that Assange story with Jill Stein? 110 GET requests.

THE ASSANGE/SNOWDEN ONE HAS 20,061 REQUESTS.

19,876 of those are from the aforementioned network, from only 9 unique IP addresses. 6,800 of those are actually attempts to POST…

5.188.210.68 - - [27/Feb/2019:13:11:31 -0500] "POST /wp-comments-post.php HTTP/1.0" 302 0 "https://www.blakedrinks.beer/?p=261" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.146 Safari/537.36"

Akismet was forwarding these into the void, so I’m not sure what the payload was. I don’t even want comments on this blog anyway, so I disabled that functionality. There hasn’t been a POST request since. Great Scott, I think they’re learning…
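The grepping above, done as reusable awk one-liners over nginx’s default combined log format, as an added example that is not from the original post. The log lines are constructed: the IPs, paths and byte counts are the ones quoted above, plus two made-up clients from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges so there is something non-bot to compare against. The function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: tally traffic to one post the way
# the "grepping around" does, with the suspect /24 split out. Sample log is
# constructed (IPs/paths from the post, plus two documentation-range clients).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
5.188.210.60 - - [28/Feb/2019:18:06:21 -0500] "GET /?p=261 HTTP/1.0" 200 68303 "https://www.blakedrinks.beer/?p=261" "Mozilla/5.0 (Windows NT 6.3; Win64; x64)"
5.188.210.69 - - [28/Feb/2019:18:16:22 -0500] "GET /?p=261 HTTP/1.0" 200 68303 "https://www.blakedrinks.beer/?p=261" "Mozilla/5.0 (Windows NT 6.1; Win64; x64)"
5.188.210.70 - - [28/Feb/2019:18:31:29 -0500] "GET /?p=261 HTTP/1.0" 200 68303 "https://www.blakedrinks.beer/?p=261" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
5.188.210.66 - - [28/Feb/2019:18:50:59 -0500] "GET /?p=261 HTTP/1.0" 200 68303 "https://www.blakedrinks.beer/?p=261" "Mozilla/5.0 (Windows NT 6.1)"
5.188.210.68 - - [27/Feb/2019:13:11:31 -0500] "POST /wp-comments-post.php HTTP/1.0" 302 0 "https://www.blakedrinks.beer/?p=261" "Mozilla/5.0 (Windows NT 6.3; Win64; x64)"
5.188.210.68 - - [27/Feb/2019:13:12:02 -0500] "POST /wp-comments-post.php HTTP/1.0" 302 0 "https://www.blakedrinks.beer/?p=261" "Mozilla/5.0 (Windows NT 6.3; Win64; x64)"
203.0.113.5 - - [28/Feb/2019:19:02:11 -0500] "GET /?p=261 HTTP/1.1" 200 68303 "-" "Mozilla/5.0 (X11; FreeBSD amd64)"
203.0.113.5 - - [28/Feb/2019:19:03:40 -0500] "GET /?p=99 HTTP/1.1" 200 12000 "https://www.blakedrinks.beer/" "Mozilla/5.0 (X11; FreeBSD amd64)"
198.51.100.7 - - [28/Feb/2019:19:10:05 -0500] "GET /?p=99 HTTP/1.1" 200 12000 "-" "Mozilla/5.0 (Macintosh)"
EOF

# Combined-format fields after whitespace splitting: $1 client IP, $6 is the
# method with a leading double quote, $7 the request path, $10 the body bytes.

count_requests() {  # $1 log, $2 path, $3 method: how many times did $3 $2 happen?
    awk -v p="$2" -v m="$3" '$7 == p && $6 == "\"" m { n++ } END { print n + 0 }' "$1"
}

unique_ips() {  # $1 log, $2 path: distinct clients that touched the path
    awk -v p="$2" '$7 == p { seen[$1] = 1 } END { n = 0; for (k in seen) n++; print n }' "$1"
}

hits_from_prefix() {  # $1 log, $2 path, $3 dotted prefix (e.g. 5.188.210. for the /24)
    awk -v p="$2" -v pre="$3" '$7 == p && index($1, pre) == 1 { n++ } END { print n + 0 }' "$1"
}

bytes_served() {  # $1 log, $2 path: where the monthly transfer went
    awk -v p="$2" '$7 == p { b += $10 } END { print b + 0 }' "$1"
}

top_clients() {  # $1 log, $2 path: per-IP request counts, busiest first
    awk -v p="$2" '$7 == p { c[$1]++ } END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

paths_from_prefix() {  # $1 log, $2 prefix: the "reverse" search, what else is that range after?
    awk -v pre="$2" 'index($1, pre) == 1 { seen[$7] = 1 } END { for (k in seen) print k }' "$1" | sort
}

report() {  # $1 log, $2 path, $3 prefix: one-line summary of the above
    printf '%s: %s GET, %s POST to the comment handler, %s unique IPs, %s hits from %s0/24, %s bytes\n' \
        "$2" "$(count_requests "$1" "$2" GET)" \
        "$(count_requests "$1" /wp-comments-post.php POST)" \
        "$(unique_ips "$1" "$2")" "$(hits_from_prefix "$1" "$2" "$3")" "$3" \
        "$(bytes_served "$1" "$2")"
}

report "$SAMPLE_LOG" '/?p=261' 5.188.210.
echo "paths requested by the 5.188.210.0/24 range:"
paths_from_prefix "$SAMPLE_LOG" 5.188.210.
```

Point it at the real file (`report /var/log/nginx/access.log '/?p=261' 5.188.210.`) and the byte total is the figure to compare against the month’s transfer; `paths_from_prefix` is the quick way to confirm a range is only after one URL, which is what makes a firewall rule on the /24 cheap rather than collateral damage.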

Well, let’s poke the bear and port scan one.

PORT      STATE    SERVICE            VERSION
25/tcp    filtered smtp
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
1580/tcp  filtered tn-tl-r1
3389/tcp  open     ssl/ms-wbt-server?
|_ssl-date: 2019-03-01T01:45:32+00:00; +3s from scanner time.
49152/tcp open     msrpc              Microsoft Windows RPC
49153/tcp open     msrpc              Microsoft Windows RPC
49154/tcp open     msrpc              Microsoft Windows RPC
49155/tcp open     msrpc              Microsoft Windows RPC
49156/tcp open     msrpc              Microsoft Windows RPC
49158/tcp open     msrpc              Microsoft Windows RPC
49159/tcp open     msrpc              Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

RDP is open to the internet. That’s fucking awesome. I’m definitely not feeling up to trying to connect to that. Given that these IP addresses are mostly sequential, I don’t think this is the product of malware.

5.188.210.60
5.188.210.62
5.188.210.64
5.188.210.66
5.188.210.67
5.188.210.68
5.188.210.69
5.188.210.70
5.188.210.71

I’m really not sure why those 9 IP addresses are downloading the same article over and over, roughly 5 times an hour. Reversing the search, they are not attempting to get or post to any other entry on my site.

I could set my firewall to reject those, but I want to see if this post gets more hits.

This was probably a bad idea.

Pwnt in 60 seconds.

Just opened the following happy little ticket with my dad’s webhost (and my former webhost).


My name’s Blake, I’m writing on behalf of my father W[nope], I’m a Linux systems administrator, just wanted to point out a few of the pitfalls with your WordPress 1 click install.

Since my sister asked for help installing the single most exploitable piece of software on the planet (which runs my own website), I at first lazily said “Let me do it” and tried to log in to the install page as fast as possible. Well, as to be expected, bots had already hijacked the damn thing, okay.

I remove the folder, delete the database, create a new folder, and put an .htaccess file in only allowing my IP. Install fails because the folder is not empty.

Well shit. Okay. This time I start over just changing the permissions of the empty folder to 770 so anyone accessing the site will get forbidden. The one click install FIXED THE PERMISSIONS TO BE EXECUTABLE AGAIN.

Finally I had to just run the one click install, run watch ls, and frantically rename the folder so I could secure it at my leisure.

Yes, I could have just manually installed WordPress, but I was just helping out and didn’t want to get stuck having to maintain this thing in the future. So the convenience of your automated service is nice.

Really, though, your one-click-install maybe shouldn’t thwart security practices when every bored basement python programmer is scraping wordpress sites.

My apologies for the crassness. Please forward this message to your infosec guy and have a laugh at my expense.

Another encrypted root on FreeBSD 9.x blog, multiple partitions with one key!

Yes, I’m bored enough to write a how-to article. I’m consolidating my own FreeBSD crypto strategy here because the advice I got from the other google’d blogs of other random open-source dorks misled me, I feel.

I’m totally geli…. There, now that I’ve alienated anyone who didn’t actually need help, an encrypted filesystem is a good thing for any paranoid weirdo who is afraid of his/her computer being stolen, confiscated (what have you been up to?), or poked at by prying roommates (mine are actually pretty cool). The average person has all kinds of saved passwords, credit card numbers, and hate letters their shrink told them to write but not actually send floating on their hard drive. This is serious stuff people, don’t let the monster in your closet steal it.

A lot of tutorials go for ZFS. Are you building a server for a Fortune 500 company that needs reliable mirrors? No? Then stawp. Are you building a regular desktop system using FreeBSD because GOOD GOD why do all the Linux distributions have to be so needlessly overmanaged? Then chances are you want a separate /home partition (at least) so your personal data survives any mood swing root formats. ZFS will overcomplicate our lives for that purpose, so let’s be old fashioned and boring.

Get a FreeBSD 9.1 installer that isn’t “minimal”. The DVD is safe that I know of. Begin an installation and when it asks you about partitioning, choose “Shell”. Make sure that $6 4GB USB flash drive you bought at Walmart is plugged in. I mentioned I’m that annoying guy who tells you to put /boot on flash right? No? Whoops, sorry.

gpart destroy -F da0
gpart destroy -F ada0

This kills any lingering boot code floating on your flash drive or your hard drive. Change devices as needed. If it errors out, that typically means there wasn’t any bootcode to kill, so just move forward.

gpart create -s gpt da0
gpart add -s 128 -t freebsd-boot da0
gpart add -t freebsd-ufs -l boot da0
gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 da0
newfs -U -O2 /dev/gpt/boot

Okay, so we added bootcode to the flash drive and formatted the rest of its space to FreeBSD’s native UFS. We’re going to use a keyfile and a password to unlock our hard drive, so if somebody manages to figure out our password or steal our keys (keep your boot close to your crotch), they only have half what they need to read that letter about how your Aunt Betty… nevermind. Moving on…

Let’s mount our flash drive and drop our encryption key on it. I personally named mine “errormesg”, because it amuses me, but will likely not stump anybody smart enough to attempt to crack a 256-bit AES standard. For the example I use ada0.key.

mount /dev/gpt/boot /mnt
dd if=/dev/random of=/mnt/ada0.key bs=4096 count=1

You can skip this entire step if you want. Just don’t use the -K flag for the geli init or the -k flag for the geli attach. You’ll then have a password-only encryption. Use something long and difficult, but that you can actually remember. I assume no responsibility for the loss of your pr0n collection.

kldload geom_eli
geli init -b -e AES-XTS -K /mnt/ada0.key -l 256 -s 4096 /dev/ada0
geli attach -k /mnt/ada0.key /dev/ada0
umount /dev/gpt/boot

You can change the encryption standard after the -e flag if you want and/or know what you’re doing. When the geom_eli driver loads, it should show if your motherboard supports hardware decryption or not. If you’re running applications that are data intensive (say, a database server), this might be relevant. Using a 7200rpm hard drive on a regular desktop machine with an Intel Atom, I can tell you I have no real problem with software decryption.

Anyway, we encrypted the hard disk device, rather than individual partitions under it. This means we don’t have to use a separate password/keyfile for each partition. Minimal headache! Go ahead and partition your hard drive using gpart. The unlocked device shows up as ada0.eli and needs a partition scheme before gpart add will do anything with it. I have a 2TB, I did mine as follows:

gpart create -s gpt ada0.eli
gpart add -s 50G -t freebsd-ufs -l root ada0.eli
gpart add -s 8G -t freebsd-swap -l swap ada0.eli
gpart add -t freebsd-ufs -l home ada0.eli
newfs -U -O2 /dev/gpt/root
newfs -U -O2 /dev/gpt/home

You may require more partitions. Follow the example and adjust as needed. Now, mount root so we can continue with installation.

mount /dev/gpt/root /mnt
mkdir /mnt/bootdir
mount /dev/gpt/boot /mnt/bootdir

Hit ctrl+d to escape from the shell back to the installer. Continue as with any routine FreeBSD installation. Although you might want to mount /home as well if you’re adding users in the installer. When it asks you if you’d like to enter the shell to add any last minute options, say YES.

We have files to edit! You can use vi if you want, but being an emacs user, I can’t figure that thing out to save my friggin’ life. I use ee and cross my fingers. Add the following lines to /etc/fstab (adjust accordingly):

/dev/gpt/boot    /bootdir    ufs     rw,noatime    1    1
/dev/gpt/root    /           ufs     rw,noatime    1    1
/dev/gpt/home    /home       ufs     rw,noatime    0    0
/dev/gpt/swap    none        swap    sw            0    0

Now let’s rearrange some data:

mv /boot /bootdir
ln -s /bootdir/boot /boot
mv /bootdir/ada0.key /boot

Now create the file /boot/loader.conf and add the following lines to it:

geom_eli_load="YES"
geli_ada0_keyfile0_load="YES"
geli_ada0_keyfile0_type="ada0:geli_keyfile0"
geli_ada0_keyfile0_name="/boot/ada0.key"
vfs.root.mountfrom="ufs:/dev/ada0.elip1"
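The whole walkthrough collected into one parameterised script, as an added example that is not from the original post. DISK, USB, ROOT_SIZE, SWAP_SIZE and the DRY_RUN wrapper are my assumptions; every gpart, geli and newfs flag is the one used above, including the gpart create on the .eli device that gpart add needs before it will add partitions to the unlocked disk. It defaults to a dry run that prints the plan and the two config files, so the only thing it changes on the machine you test it on is your mind.

```shell
#!/bin/sh
# Added example, not from the original post: the geli walkthrough as one script.
# Device names, sizes and the DRY_RUN wrapper are assumptions; the command flags
# are the ones from the walkthrough. Defaults to printing the plan, not running it.
DISK="${DISK:-ada0}"            # hard drive, encrypted whole
USB="${USB:-da0}"               # flash drive that carries /boot and the keyfile
ROOT_SIZE="${ROOT_SIZE:-50G}"
SWAP_SIZE="${SWAP_SIZE:-8G}"
DRY_RUN="${DRY_RUN:-1}"         # set DRY_RUN=0 only from the installer's shell

run() {  # echo the command in a dry run, otherwise execute it
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

prepare_boot_stick() {  # bootcode plus a UFS partition labelled "boot" on the flash drive
    run gpart destroy -F "$USB"
    run gpart create -s gpt "$USB"
    run gpart add -s 128 -t freebsd-boot "$USB"
    run gpart add -t freebsd-ufs -l boot "$USB"
    run gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 "$USB"
    run newfs -U -O2 /dev/gpt/boot
}

encrypt_disk() {  # keyfile on the stick, then geli over the whole disk device
    run gpart destroy -F "$DISK"
    run mount /dev/gpt/boot /mnt
    run dd if=/dev/random of="/mnt/$DISK.key" bs=4096 count=1
    run kldload geom_eli
    # -b flags the provider for attach at boot, which is what makes the loader ask for the passphrase
    run geli init -b -e AES-XTS -K "/mnt/$DISK.key" -l 256 -s 4096 "/dev/$DISK"
    run geli attach -k "/mnt/$DISK.key" "/dev/$DISK"
    run umount /dev/gpt/boot
}

partition_disk() {  # root first: that is what makes it ${DISK}.elip1 in loader.conf
    run gpart create -s gpt "$DISK.eli"
    run gpart add -s "$ROOT_SIZE" -t freebsd-ufs -l root "$DISK.eli"
    run gpart add -s "$SWAP_SIZE" -t freebsd-swap -l swap "$DISK.eli"
    run gpart add -t freebsd-ufs -l home "$DISK.eli"
    run newfs -U -O2 /dev/gpt/root
    run newfs -U -O2 /dev/gpt/home
    run mount /dev/gpt/root /mnt
    run mkdir /mnt/bootdir
    run mount /dev/gpt/boot /mnt/bootdir
}

fstab_text() {  # the four fstab lines, columns aligned; printf reuses the format per line
    printf '%-16s %-10s %-6s %-12s %s %s\n' \
        /dev/gpt/boot /bootdir ufs rw,noatime 1 1 \
        /dev/gpt/root / ufs rw,noatime 1 1 \
        /dev/gpt/home /home ufs rw,noatime 0 0 \
        /dev/gpt/swap none swap sw 0 0
}

loader_conf_text() {  # every variable carries the disk name, so renaming ada0 changes all four lines
    cat <<EOF
geom_eli_load="YES"
geli_${DISK}_keyfile0_load="YES"
geli_${DISK}_keyfile0_type="${DISK}:geli_keyfile0"
geli_${DISK}_keyfile0_name="/boot/${DISK}.key"
vfs.root.mountfrom="ufs:/dev/${DISK}.elip1"
EOF
}

finish_install() {  # from the installer's last-minute shell: move /boot onto the stick, write configs
    run mv /boot /bootdir
    run ln -s /bootdir/boot /boot
    run mv "/bootdir/$DISK.key" /boot
    if [ "$DRY_RUN" = 1 ]; then
        echo "# append to /etc/fstab:"; fstab_text
        echo "# /boot/loader.conf:"; loader_conf_text
    else
        fstab_text >> /etc/fstab
        loader_conf_text > /boot/loader.conf
    fi
}

plan() {  # the full sequence, printed or executed depending on DRY_RUN
    prepare_boot_stick
    encrypt_disk
    partition_disk
    finish_install
}

[ "$DRY_RUN" = 1 ] && plan
```

Running it with DISK=ada1 shows the point of generating loader.conf rather than copying it: the keyfile variables, the type string and vfs.root.mountfrom all have to change together, and a mismatch between them is the usual reason the loader asks for a passphrase and then cannot find root.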

Now for some goofy reason, when it asks you for the passkey on boot, at least on my system, it kind of hangs at first. Mash the enter key until it says something about the password being wrong and you have 2 tries left. Now type the right password in. Hooray! Our system is booting to an encrypted root fs. Unless you plan on doing anything that requires access to /boot (modifying /boot/loader.conf, installing nvidia-driver, building a new kernel, etc.), you can safely unmount your flash drive, attach it to your keychain, and keep it in your pocket. If I kept FreeBSD 5 up for a year on an Intel Celeron 800mhz and FreeBSD 7 for nearly 2 years on an UltraSparc IIe, I think it’s safe to say that you can maintain good uptime and not need to plug that thing in very often. I do however suggest making a copy of that encryption keyfile and hiding it somewhere, unless you have a lot of faith in cheap flash drives. I don’t care if it’s a CD-R in your old Vanilla Ice CD case or an awkward email to your girlfriend that she doesn’t understand, put it somewhere. Nothing is permanent, especially flash memory.

Alright jokers, happy compiling.